AuthN CA middleware support [Fwd: [caops-wg] Draft Agenda]
Dear all,

For the discussion on Friday's IGTF session, following up from the discussion we had at the last TAGPMA F2F meeting, the following document is the /very first and preliminary draft/ of the 'Request to MW Providers'.

Your comments are more than welcome (also if you're not physically at GGF).

Regards,
DavidG.
Would you like to discuss this in the IGTF session at GGF for a few minutes? I think it would make a great topic of discussion. And anyways I've pencilled you in.
Darcy
David Groep wrote:
Hi Tony, Jens, Scott, others,
On my to-do list for GGF CAOPS/IGTF session was still this request from the last TAGPMA F2F:
"e-Authentication
Mike: can we reflect the different LOAs in the middleware? Influence the way middleware is developed. Tony suggests IGTF writes a formal letter of requirements to the middleware developers. Policies is a good start. Scott mentions that MS Vista will support policies (as a RP). David will set up a group to summarise issues to be discussed in PMAs. Tony, Scott, Jens volunteer. TBD before GGF."
Essentially asking the M/W providers to support decision making based on Policy OIDs (and still to respect the RP-defined namespace constraints). To start off the discussion I put together a quick draft letter. When complete and approved, it should go out as an IGTF recommendation, so with the support from all three PMAs. The CAOPS-WG #2 session on the IGTF next week would be the obvious place to discuss this.
Can you give comments, so that we can distribute a draft version to the igtf-general list for wider comments shortly? In-line editing welcomed!
-------- Original Message --------
Subject: [caops-wg] Draft Agenda
Date: Sun, 07 May 2006 21:48:04 -0400
From: Darcy Quesnel <darcy.quesnel@canarie.ca>
To: caops-wg@ggf.org

CAOPS Session, Friday May 12, 09:00 - 10:30, G407
- Introduction, 5 minutes
- Draft Auditing Document, Yoshio, 10 minutes
- Authentication Profile Document Review, Tony, 20 minutes
- OCSP Document Finalization, Olle &c, 30 minutes
- AOB

IGTF Session, Friday May 12, 15:45 - 17:15, G404
- Introduction, 5 minutes
- EUGridPMA update, 5-10 minutes
- APGridPMA update, 5-10 minutes
- TAGPMA update, 5-10 minutes
- Auth'n Profiles discussion (does anyone have anything to discuss about particular auth'n profiles)
- Middleware Authentication support, David Groep, 20 minutes ?
- AOB

--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Hi David

the nameConstraints extension can almost provide the namespace constraints that you require, but it has some weaknesses due to its "trust all except" semantics. It is necessary that each application check that the authenticated name that is returned is a DN and not a name in some other name format, and that no other name forms exist in the subjectAltName extension. With those provisos, nameConstraints should work when cross certifying CAs or subordinate CAs.

regards

David

David Groep wrote:
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
David,

I'm sure David will respond with a longer reply, but the short answer is "no". This is to indicate that the RP only honors subsets of the CA's namespace.

/Olle

On May 10, 2006, at 07:18, David Chadwick wrote:

> Hi David
>
> the nameConstraints extension can almost provide the namespace constraints that you require, but it has some weaknesses due to its "trust all except" semantics. It is necessary that each application check that the authenticated name that is returned is a DN and not a name in some other name format, and that no other name forms exist in the subjectAltName extension. With those provisos, nameConstraints should work when cross certifying CAs or subordinate CAs
>
> regards
>
> David
Hi all,

Olle Mulmo wrote:
I'm sure David will respond with a longer reply, but the short answer is "no". This is to indicate that the RP only honors subsets of the CA's namespace.
It's hard to add more substance to Olle's statement, but to put this in context: these namespace constraints are defined by relying parties (or by federations on their behalf) and must be enforced in addition to any nameConstraints in the certificates. In the "old-GAA" world from globus, these were represented as the ".signing_policy" files alongside the roots of trust and in the (near) future hopefully as a standard format if (we and) the MW providers come to an agreement.

DavidG.
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
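The two points made in this exchange, David Chadwick's provisos on nameConstraints and the RP-defined ".signing_policy" namespace constraints David Groep refers to, as an added example that is not code from the IGTF draft, from Globus/GSI, or from any poster in this thread. It parses a constructed signing_policy file in the Globus access_id_CA / pos_rights / cond_subjects layout for a hypothetical "Banana CA", then accepts or rejects constructed certificates in two steps: the authenticated name must be an X.500 DN and the subjectAltName must carry no other name form, and the subject must fall inside the namespace the RP honours for that issuer. The CA name, the subject DNs and the simplified Cert record are assumptions made for the example; in real middleware these fields come from the chain that path validation (including any nameConstraints) has already accepted.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample for this example: an RP's signing_policy for a hypothetical
# "Banana CA" (access_id_CA / pos_rights / cond_subjects is the Globus layout).
SAMPLE_SIGNING_POLICY = """\
# The Banana CA may only vouch for subjects in these two subtrees
access_id_CA   X509   '/DC=org/DC=example/CN=Banana CA'
pos_rights     globus CA:sign
cond_subjects  globus '"/DC=org/DC=example/DC=banana/*" "/O=bananagrid/*"'
"""


def parse_signing_policy(text: str) -> Dict[str, List[str]]:
    """Map each access_id_CA DN to the subject patterns it is allowed to sign."""
    policies: Dict[str, List[str]] = {}
    current_ca = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' opens a comment (no '#' in sample DNs)
        if not line:
            continue
        parts = shlex.split(line)             # keeps each single-quoted field intact
        if parts[0] == "access_id_CA" and parts[1] == "X509":
            current_ca = parts[2]
            policies.setdefault(current_ca, [])
        elif parts[0] == "cond_subjects" and parts[1] == "globus" and current_ca:
            # parts[2] is '"/A/*" "/B/*"'; split again to get the individual patterns
            policies[current_ca].extend(shlex.split(parts[2]))
    return policies


def pattern_to_regex(pattern: str):
    """Only '*' is a wildcard in signing_policy patterns; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


@dataclass
class Cert:
    """Constructed stand-in for the fields path validation already extracted."""
    issuer: str
    subject: str                                        # X.500 DN, OpenSSL one-line form
    san: List[Tuple[str, str]] = field(default_factory=list)  # (name form, value)


def name_form_ok(cert: Cert) -> Tuple[bool, str]:
    """Chadwick's provisos: the authenticated name must be a DN, and the SAN must not
    carry a name of another form that the issuer's nameConstraints may not cover."""
    if not cert.subject.startswith("/"):
        return False, "subject is not an X.500 DN"
    other = sorted({form for form, _ in cert.san if form != "directoryName"})
    if other:
        return False, "subjectAltName carries non-DN name forms: " + ", ".join(other)
    return True, "ok"


def namespace_ok(policies: Dict[str, List[str]], cert: Cert) -> Tuple[bool, str]:
    """RP namespace check: no policy entry means the issuer is not honoured at all;
    with one, the subject must fall inside a listed subtree."""
    patterns = policies.get(cert.issuer)
    if patterns is None:
        return False, "no signing policy for issuer " + cert.issuer
    if any(pattern_to_regex(p).match(cert.subject) for p in patterns):
        return True, "ok"
    return False, "subject outside the namespace the RP honours for this issuer"


def accept(policies: Dict[str, List[str]], cert: Cert) -> Tuple[bool, str]:
    """Run after normal chain validation (incl. nameConstraints), never instead of it."""
    ok, why = name_form_ok(cert)
    if ok:
        ok, why = namespace_ok(policies, cert)
    return (True, "accepted") if ok else (False, why)


if __name__ == "__main__":
    pol = parse_signing_policy(SAMPLE_SIGNING_POLICY)
    banana = "/DC=org/DC=example/CN=Banana CA"
    for cert in (
        Cert(banana, "/DC=org/DC=example/DC=banana/CN=Alice"),              # accepted
        Cert(banana, "/DC=org/DC=example/DC=pear/CN=Mallory"),              # outside namespace
        Cert(banana, "/O=bananagrid/CN=Bob", san=[("rfc822Name", "bob@example.org")]),
        Cert("/DC=org/DC=example/CN=Pear CA", "/DC=org/DC=example/DC=banana/CN=Carol"),
    ):
        print(cert.subject, "->", accept(pol, cert))
```

The fail-closed shape matters: an issuer that has no signing_policy entry is rejected outright rather than accepted with an empty namespace, which is what "the RP only honors subsets of the CA's namespace" means in practice.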
insures -> ensures

This one the one hard enables -> This functionality enables

"they accept from any [the] issuing authority to only those identifiers that are [agreed to be] subject to a specific Authentication Profile." (remove words in brackets)

subsequent authorization decision -> ... decisions

The last point ("make validation...") is too vaguely stated. Any certificate in the chain implies that the RP should honor arbitrary Policy OIDs embedded in self-issued proxy certs. I suggest narrowing this down to EE and sub-CA certs for now.

You could add another wishlist item that middleware providers should honor the same configuration syntax that controls the OID set and namespace constraints... (and the CAOPS group should quickly find volunteers that nail down that syntax).

/Olle
Hi Olle,

Olle Mulmo wrote:
... The last point ("make validation...") is too vaguely stated. Any certificate in the chain implies that the RP should honor arbitrary Policy OIDs embedded in self-issued proxy certs. I suggest narrowing this down to EE and sub-CA certs for now.
Agreed. In a practical implementation, though, I would suggest that the policy allows a set of ranges of policy OIDs from a specific issuer, and that that range is configurable independently for each issuer or group of issuers. E.g.

* from "The Banana CA"
* allow only EE certs with oids 1.2.840.113612.5.2.3.1.99.(2-3,7).*

(and maybe denial as well, although that will surely be a hot topic :-)

To indicate only those EE certificates with the additional policy statements that the private key is stored in a peach(2), a pineapple(3) or an orange(7) or in any subspecies thereof.
You could add another wishlist item that middleware providers should honor the same configuration syntax that controls the OID set and namespace constraints... (and the CAOPS group should quickly find volunteers that nail down that syntax).
Kind-of agree as well. Same syntax for all middlewares is certainly needed; a common (and simple) syntax for expressing RP-namespace constraints and OID constraints would be nice, but hard...

Cheers,
DavidG.

--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
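David Groep's Banana CA sketch, with Olle Mulmo's narrowing to EE and sub-CA certificates, as an added example that is not code from the IGTF draft or from any poster in this thread. It compiles a per-issuer pattern such as 1.2.840.113612.5.2.3.1.99.(2-3,7).* into one matcher per OID arc, and walks a chain leaf-first while skipping proxy certificates, so that a policy OID a user minted into a self-issued proxy can never satisfy the rule. The "(lo-hi,n)" range syntax, the meaning given to a trailing ".*" (zero or more further arcs, so the sub-species arc is optional), the Cert and IssuerRule records, and the Banana CA chain are all assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple, Union

_RANGE_ARC = re.compile(r"^\((\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*)\)$")
Arc = Union[Set[int], str]  # allowed values for one arc, or the trailing "*"


def compile_oid_pattern(pattern: str) -> List[Arc]:
    """'1.2.840.113612.5.2.3.1.99.(2-3,7).*' -> one matcher per arc (assumed syntax)."""
    arcs = pattern.split(".")
    out: List[Arc] = []
    for i, arc in enumerate(arcs):
        if arc == "*":
            if i != len(arcs) - 1:
                raise ValueError("'*' is only allowed as the last arc")
            out.append("*")
        elif arc.isdigit():
            out.append({int(arc)})
        else:
            m = _RANGE_ARC.match(arc)
            if not m:
                raise ValueError(f"bad OID arc {arc!r}")
            allowed: Set[int] = set()
            for piece in m.group(1).split(","):
                lo, _, hi = piece.partition("-")
                allowed.update(range(int(lo), int(hi or lo) + 1))
            out.append(allowed)
    return out


def oid_matches(compiled: List[Arc], oid: str) -> bool:
    """True if each arc is allowed; a trailing '*' accepts zero or more further arcs."""
    arcs = [int(a) for a in oid.split(".")]
    for i, want in enumerate(compiled):
        if want == "*":
            return True
        if i >= len(arcs) or arcs[i] not in want:
            return False
    return len(arcs) == len(compiled)  # without '*', no extra arcs are allowed


@dataclass
class Cert:
    issuer: str
    subject: str
    kind: str                                             # "ca", "ee" or "proxy"
    policies: List[str] = field(default_factory=list)     # certificatePolicies OIDs


@dataclass
class IssuerRule:
    allow: List[str]                                      # any one matching OID suffices
    applies_to: Set[str] = field(default_factory=lambda: {"ee", "ca"})


def accept_chain(rules: Dict[str, IssuerRule], chain: List[Cert]) -> Tuple[bool, str]:
    """chain is leaf first. Proxy certificates are never consulted: only OIDs that an
    accredited CA put into an EE or sub-CA certificate can satisfy a rule, not ones a
    user minted into a self-issued proxy. Trust anchors are left to the trust store."""
    checked = 0
    for cert in chain:
        if cert.kind == "proxy" or cert.issuer == cert.subject:
            continue
        rule = rules.get(cert.issuer)
        if rule is None or cert.kind not in rule.applies_to:
            continue
        compiled = [compile_oid_pattern(p) for p in rule.allow]
        if not any(oid_matches(c, oid) for c in compiled for oid in cert.policies):
            return False, f"{cert.subject}: no policy OID allowed for issuer {cert.issuer}"
        checked += 1
    if checked == 0:
        return False, "no EE or sub-CA certificate in the chain matched a configured rule"
    return True, "accepted"


if __name__ == "__main__":
    banana = "/DC=org/DC=example/CN=Banana CA"
    rules = {banana: IssuerRule(allow=["1.2.840.113612.5.2.3.1.99.(2-3,7).*"], applies_to={"ee"})}
    ca = Cert(banana, banana, "ca")
    alice = Cert(banana, "/DC=org/DC=example/DC=banana/CN=Alice", "ee",
                 policies=["1.2.840.113612.5.2.3.1.99.3.5"])   # pineapple(3), a sub-species
    mallory = Cert(banana, "/DC=org/DC=example/DC=banana/CN=Mallory", "ee",
                   policies=["1.2.840.113612.5.2.3.1.99.4"])   # arc 4 is not allowed
    proxy = Cert(mallory.subject, mallory.subject + "/CN=proxy", "proxy",
                 policies=["1.2.840.113612.5.2.3.1.99.7"])     # self-asserted, ignored
    print(accept_chain(rules, [alice, ca]))           # (True, 'accepted')
    print(accept_chain(rules, [proxy, mallory, ca]))  # rejected despite the proxy's OID
```

Denial patterns are deliberately left out, since the thread flags them as contentious; instead the default is fail-closed, so a chain in which no EE or sub-CA certificate fell under any configured rule is rejected rather than waved through.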
Hi David.

David Groep wrote:
Dear all,
For the discussion on Friday's IGTF session, following up from the discussion we had at the last TAGPMA F2F meeting, the following document is the /very first and preliminary draft/ of the 'Request to MW Providers'
Your comments are more than welcome (also if you're not physically at GGF).
Just a note: Couldn't including and checking the IGTF profiles' policy OIDs be used for solving the namespace problem too?

Regards
--
Milan Sova
sova@cesnet.cz
participants (4)
- David Chadwick
- David Groep
- Milan Sova
- Olle Mulmo